Bug 1274120

Summary: CVE-2015-4840 and LCMS 2
Product: Red Hat Enterprise Linux 7
Reporter: Andrew John Hughes <ahughes>
Component: lcms2
Assignee: Richard Hughes <rhughes>
Status: CLOSED WONTFIX
QA Contact: Desktop QE <desktop-qa-list>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.2
CC: mclasen
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-02-24 18:50:37 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1273338

Description Andrew John Hughes 2015-10-22 02:37:03 UTC
As part of the October 20th security update for the OpenJDK packages, the following patch for CVE-2015-4840 was included, which patches the build of OpenJDK's local copy of LCMS 2 to add -DCMS_DONT_USE_FAST_FLOOR to the CFLAGS.

http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/77d48e6d111f

On RHEL 7, OpenJDK was using the system copy of LCMS 2 instead, but we switched back to the in-tree version in order to incorporate this change. We would appreciate it if the system version could also be built with this flag. It swaps a rather hacky floor implementation (writing to one member of a union then reading from another) for a call to the C library's floor function.

The RHEL bug for the security issue is bug 1273338.
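
Added example, not part of the original report and not code from LCMS 2 or the OpenJDK patch: a sketch of the union-based floor technique the description mentions, next to a plain floor, showing where the two agree and where they diverge. The names `quick_floor`, `floor_ref`, `differs` and `FIX_MAGIC`, and the 16.16 fixed-point constant, are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed constant for a 16.16 fixed-point fast floor: 1.5 * 2^36. Adding it
 * moves val into a binade whose least significant mantissa bit is 2^-16. */
static const double FIX_MAGIC = 68719476736.0 * 1.5;

/* Union-based fast floor: write the double member, read the integer member. */
static int quick_floor(double val)
{
    union { double d; uint64_t bits; } temp;
    temp.d = val + FIX_MAGIC;
    /* The low 32 mantissa bits now hold round(val * 65536) modulo 2^32. */
    int32_t fixed = (int32_t)(uint32_t)temp.bits;
    return fixed >> 16;  /* assumes arithmetic right shift of negative values */
}

/* Reference: same result as (int)floor(val) for val within int range.
 * Written without <math.h> so the file builds with no extra link flag. */
static int floor_ref(double val)
{
    int i = (int)val;
    return (val < (double)i) ? i - 1 : i;
}

/* 1 if the fast path disagrees with the reference floor for this input. */
static int differs(double val)
{
    return quick_floor(val) != floor_ref(val);
}

int main(void)
{
    /* Constructed sample inputs: in range, near an integer, out of range. */
    const double samples[] = { 1.75, -0.5, 32767.5,
                               2.0 - 1.0 / 262144.0, 40000.0, -40000.0 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%14.8f  quick=%7d  floor=%7d  %s\n", samples[i],
               quick_floor(samples[i]), floor_ref(samples[i]),
               differs(samples[i]) ? "MISMATCH" : "ok");
    return 0;
}
```

The fast path only matches a real floor for inputs that fit 16.16 fixed point and are not within 2^-17 below an integer; building with `-DCMS_DONT_USE_FAST_FLOOR` removes that dependence on input range and on the platform's union and shift behaviour.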